Since 2021, I have developed a number of scripts to assist me with my investigations and remediation efforts. I figured, why not share them with the public, in the hope that they help you.
The scripts I developed are intended to work with CrowdStrike Endpoint Detection and Response (EDR). Essentially, they are cloud scripts (run through Real Time Response) that let you remediate devices remotely with a single click of a button.
The purpose of my scripts is to assist a SOC or Incident Response Analyst with their investigation. Some scripts assist with remediation of a particular unwanted software/adware. Other scripts assist with investigating a particular system by username to provide more visibility.
- WinInspect - WinInspect is a lightweight tool that gives an analyst more visibility into a Windows system based on a target username.
- MACInspect - MACInspect is a lightweight tool that gives an analyst more visibility into a macOS system based on a target username.
- LinInspect - LinInspect is a lightweight tool that gives an analyst more visibility into a Linux system based on a target username.
- EnumChromeExt - EnumChromeExt retrieves Chrome Extensions and automatically attempts to detect the name.
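As an added illustration of the enumeration EnumChromeExt performs (this is example code written for this page, not the repository's own script), the PowerShell below walks every local user's Chrome profiles, reads each extension's manifest.json, and resolves the display name. The manifest often stores the name as a localization key of the form `__MSG_key__`; the example looks that key up in `_locales\<locale>\messages.json`, which is the step that makes the name readable to an analyst. The Chrome `User Data` path is the default install location and is an assumption.

```powershell
# Added example (not the repository's EnumChromeExt): enumerate Chrome extensions
# per user profile and resolve each extension's display name from its manifest.
# Assumption: Chrome is installed per-user at the default AppData\Local path.

function Resolve-ExtensionName {
    param([string]$VersionDir, [object]$Manifest)
    $raw = [string]$Manifest.name
    # Localized names look like "__MSG_appName__" and must be resolved via _locales.
    if ($raw -match '^__MSG_(.+)__$') {
        $key = $Matches[1]
        # Try the extension's default_locale first, then common English fallbacks.
        $locales = @($Manifest.default_locale, 'en', 'en_US') | Where-Object { $_ } | Select-Object -Unique
        foreach ($locale in $locales) {
            $msgFile = Join-Path $VersionDir ("_locales\{0}\messages.json" -f $locale)
            if (-not (Test-Path -LiteralPath $msgFile)) { continue }
            try { $messages = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json } catch { continue }
            $entry = $messages.PSObject.Properties[$key]
            if ($entry -and $entry.Value.message) { return [string]$entry.Value.message }
        }
        return "(unresolved $raw)"
    }
    return $raw
}

$results = foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    $userData = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\User Data'
    if (-not (Test-Path -LiteralPath $userData)) { continue }

    # Chrome profiles are named "Default", "Profile 1", "Profile 2", ...
    $chromeProfiles = Get-ChildItem -Path $userData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

    foreach ($chromeProfile in $chromeProfiles) {
        $extRoot = Join-Path $chromeProfile.FullName 'Extensions'
        if (-not (Test-Path -LiteralPath $extRoot)) { continue }

        foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each extension-ID folder holds one or more version folders; report the newest.
            $versionDir = Get-ChildItem -Path $extDir.FullName -Directory |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if (-not $versionDir) { continue }

            $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
            if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
            try { $manifest = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json } catch { continue }

            [pscustomobject]@{
                User        = $userDir.Name
                Profile     = $chromeProfile.Name
                ExtensionId = $extDir.Name
                Version     = $manifest.version
                Name        = Resolve-ExtensionName -VersionDir $versionDir.FullName -Manifest $manifest
                Permissions = ($manifest.permissions -join ',')
            }
        }
    }
}

$results | Sort-Object User, Profile, Name | Format-Table -AutoSize
```

The permissions column is included because an unfamiliar extension name with broad permissions (for example `tabs`, `webRequest`, or `<all_urls>` host access) is usually what an analyst wants to triage first; the extension ID column lets you check it against the Chrome Web Store or a blocklist.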
- Win-PortScanner - Win-PortScanner is an extremely light port scanner.
- ScanDll - ScanDll is a tool to help search processes for a particular dynamic-link library.
- ScanDllv2 - ScanDllv2 is a tool designed to search processes for a specific dynamic-link library using C#. It's much faster than ScanDll, but the output is written to a log file due to issues with standard output display on the CrowdStrike RTR UI.
- RegScanner - An amazingly fast tool designed to search for a registry key or value using a unique keyword.
- UnloadDll - Another amazingly fast tool that searches for a dynamic-link library loaded in a process's memory and attempts to unload it using FreeLibrary.
- Win-DiskImage-Toolkit - A simple tool to quickly enumerate or unmount a disk image.
- ScreenConnect-C2Extractor - ScreenConnect-C2Extractor retrieves the C2 from the user.config of ScreenConnect (aka ConnectWise Client).
- Win-PacketCapture - A guided script to generate a packet dump for analysis.
- jsonspection - JSONSpection is a utility designed to thoroughly inspect and enumerate JSON data structures. It helps you break down complex or nested JSON blobs, identify all key-value paths, and understand the overall schema and relationships within the data. This makes it useful for debugging APIs, analyzing logs, or preparing data for parsing and automation workflows.
- EvidenceCollection - This script collects common user document types—such as Word files, Excel spreadsheets, text files, PDFs, and emails—from a specified user’s Downloads, Documents, and Desktop directories. It automatically creates the C:\temp\SIRT directory (if it does not already exist) and copies all matching files into that location for centralized review, evidence preservation, or incident investigation. The file types, directories, and username can be customized to fit the needs of the case.
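To show the collection procedure described for EvidenceCollection in working form, here is an added PowerShell example (written for this page, not the repository's script). It copies the listed document types from the target user's Downloads, Documents, and Desktop folders into C:\temp\SIRT, creating that directory if it is missing, and additionally writes a CSV manifest with a SHA-256 of every copied file so the collection can be verified later. The `$TargetUser`, `$Destination`, and `$Extensions` parameters are assumptions that you adjust per case.

```powershell
# Added example (not the repository's EvidenceCollection script): gather common
# user document types into C:\temp\SIRT and record a hash manifest for evidence
# preservation. Parameters are assumptions; defaults mirror the description above.
param(
    [string]$TargetUser,
    [string]$Destination = 'C:\temp\SIRT',
    [string[]]$Extensions = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.txt', '*.pdf', '*.eml', '*.msg')
)

if (-not $TargetUser) { throw 'TargetUser is required (e.g. -TargetUser jdoe)' }

$profileRoot = Join-Path 'C:\Users' $TargetUser
if (-not (Test-Path -LiteralPath $profileRoot)) {
    throw "No profile directory found for user '$TargetUser' at $profileRoot"
}

# Create the collection directory only if it does not already exist.
if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
}

$sources  = 'Downloads', 'Documents', 'Desktop' | ForEach-Object { Join-Path $profileRoot $_ }
$manifest = @()

foreach ($dir in $sources) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # -Include needs -Recurse to apply to files under $dir, so subfolders are searched too.
    Get-ChildItem -Path $dir -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Keep the source folder name and relative path so same-named files do not collide.
            $relative  = $_.FullName.Substring($dir.Length).TrimStart('\')
            $dest      = Join-Path (Join-Path $Destination (Split-Path $dir -Leaf)) $relative
            $destDir   = Split-Path $dest -Parent
            if (-not (Test-Path -LiteralPath $destDir)) {
                New-Item -ItemType Directory -Path $destDir -Force | Out-Null
            }

            Copy-Item -LiteralPath $_.FullName -Destination $dest -Force

            # Hash the copy, not the original, so the manifest attests to what was preserved.
            $manifest += [pscustomobject]@{
                Source       = $_.FullName
                Copied       = $dest
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                Sha256       = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            }
        }
}

$stamp        = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$manifestPath = Join-Path $Destination ("manifest_{0}_{1}.csv" -f $TargetUser, $stamp)
$manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation

Write-Output ("Collected {0} file(s) for {1}; manifest written to {2}" -f $manifest.Count, $TargetUser, $manifestPath)
```

The manifest is the part worth keeping even if you only need a quick copy: the source path, timestamp, and hash recorded at collection time let you demonstrate later that the files reviewed are the ones taken from the host, which matters once an investigation turns into a formal incident.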
- CSSession - CSSession is a CrowdStrike API script that allows you to connect via Real Time Response by entering a target hostname as an argument. You must have the appropriate API permissions and ensure your client ID / secret are correct to use this script.
- CrowdStrike-API-queued-script - CrowdStrike API Queued script allows you to queue a cloud script of your choice to a target host. You must have the appropriate API permissions and ensure your client ID / secret are correct to use this script.
The following library contains a collection of remediation scripts designed to remove common unwanted software, adware, and malware found in the wild. If you come across a particular program you’d like to remediate, feel free to download the corresponding script and use it in your environment.
- 123Movies
- 39bar
- AceLauncher
- AppMaster
- AppRun
- AskPartnerNetwork
- Ask Toolbar
- BBSK (SecureBrowser)
- Bloom
- BrightTramp
- BrowserAssistant
- ByteFence
- Calendaromatic
- Cash
- Clearbar
- Convertmate
- CrystalPDF
- DSOne Agent
- DebuggerStepperBoundaryAttribute
- DriverSupportAOsvc
- DriverTonic
- Easy2Convert
- Editor
- ElevenClock
- Energy
- Epibrowser
- Framework
- Gallery
- GameCenter
- GamerHash
- Headlines
- Healthy
- IBuddy
- LiteBrowser
- Music
- OneBrowser
- OneLaunch
- OneStart
- Ouroborosbrowser
- PCAcceleratePro
- PCAppStore
- PCHelpSoftDriverUpdater
- PC_Cleaner
- PDFMaker
- PDFProSuite
- PDFSpark
- PDFTool
- PDFast
- PDFunk
- Player
- PowerDoc
- Prime
- RecipeListener
- ReimageProtector
- Restoro
- ShiftBrowser
- Sleuth
- SlimCleaner
- Sogou
- Strength
- Taskbarsystem
- Tone
- Walliant
- WaveBrowser
- WebDiscoverBrowser
- Wellness
- XMRig
- flbmusic
- leading
- streaming
- streamlink-twitch-gui
Do you find my work helpful and want to show your support? Feel free to add me on Twitter. If you'd like to show even more support, you can also tip me at Ko-Fi. There's absolutely no pressure to do so; I appreciate your support either way!
If you would like to contribute by providing your own remediation script, it would be greatly appreciated. Any help in keeping the public safe is highly valued. Please ensure that the code is clear and concise to ensure a smooth review and validation process. Submissions can be sent as an issue. The owner's name will be associated with the remediation script.
If you run into any issues with a script, please feel free to report them as an issue.